public inbox for devel@edk2.groups.io
From: "Laszlo Ersek" <lersek@redhat.com>
To: "Ni, Ray" <ray.ni@intel.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>,
	"Dong, Eric" <eric.dong@intel.com>
Cc: "Lou, Yun" <yun.lou@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.
Date: Fri, 4 Sep 2020 08:47:45 +0200	[thread overview]
Message-ID: <11c5546f-6f5c-e7c6-207e-1c442191da4e@redhat.com> (raw)
In-Reply-To: <BY5PR11MB4007B4B0A75F5C87A1731A988C2D0@BY5PR11MB4007.namprd11.prod.outlook.com>

On 09/04/20 03:34, Ni, Ray wrote:
> Why do we need a new PCD to control such check? Under what circumstance the PCD is false?

Under *all* circumstances, except when the platform wants to be
compatible with the UEFI application that manually moves the GDT or IDT
or CR3 above 4GB.

To repeat my earlier point: I consider the actions of this UEFI
application *invalid*. The UEFI spec does not authorize UEFI
applications to mess with low level concepts such as IDT / GDT / CR3.
All that stuff belongs to platform / DXE drivers. So if a UEFI
application messes with them anyway, breakage is *expected*.

In other words, I consider this patch to be adding compatibility with an
invalid UEFI application. That's fine (I assume Eric has a good reason
for asking for this compatibility -- must be an important or high
profile application), but we should *not* pessimize other platforms.
This is the reason for the Feature PCD -- on platforms that do not care
about compatibility with this application, the compiler should be able
to optimize away all this IDTR / GDTR / CR3 checking.

> We may need to move such check out of MpLib.c.

Yes, I agree. Minimally, it should go into the DXE instance of
MpInitLib. Another option is to move it out to CpuDxe.

> Because when the BSP runs in 32-bit mode, the AP doesn’t need to switch to long mode, such a check is not needed and also always passes.

Yes, that's a further possible refinement. Restrict the logic to

  FeaturePCD && DXE && X64

> We should not assume PEI runs at 32 bit mode.

The PEI phase is irrelevant here -- by the time the UEFI application
runs, PEI is gone. So indeed PEI components / lib instances should not
be changed in any way.

(Note: as I said earlier, if someone can show that edk2 *itself* has
this problem, that is, GDT / IDT / CR can be set above 4GB *without*
using this particular UEFI shell application, then we have a more
serious problem. But in that case, it's not MpInitLib or the MP services
protocol that we need to fix -- instead, we need to fix the
*allocations* / placements themselves, so that they be under 4GB.)

Thanks
Laszlo

> 
> ________________________________
> From: devel@edk2.groups.io <devel@edk2.groups.io> on behalf of Laszlo Ersek <lersek@redhat.com>
> Sent: Friday, September 4, 2020 3:55:47 AM
> To: Dong, Eric <eric.dong@intel.com>; devel@edk2.groups.io <devel@edk2.groups.io>
> Cc: Ni, Ray <ray.ni@intel.com>
> Subject: Re: [edk2-devel] [PATCH v2] UefiCpuPkg/MpInitLib: Add check for CR3/GDT/IDT.
> 
> On 09/03/20 21:00, Laszlo Ersek wrote:
> 
>> (10) More importantly, ValidCR3GdtIdtCheck() should not be called in the
>> Worker functions for StartupAllAPs, StartupThisAP, SwitchBSP, and
>> EnableDisableAP, in "UefiCpuPkg/Library/MpInitLib/MpLib.c".
>>
>> Instead, the calls should be made in the DXE instance of the library
>> ("UefiCpuPkg/Library/MpInitLib/DxeMpLib.c"), at the very top of the
>> functions:
>>
>> - MpInitLibStartupAllAPs
>> - MpInitLibStartupThisAP
>> - MpInitLibSwitchBSP
>> - MpInitLibEnableDisableAP
>>
>> Here's why:
>>
>> (a) The symptom does not affect the PEI phase -- by the time the UEFI
>> application is executed, the PEI phase has ended; there's no need to
>> modify the PEI instance of the library.
>>
>> (b) The currently proposed failure exits are too late. For example, in
>> the SwitchBSPWorker() function, by the time we exit, we have called
>> DisableApicTimerInterrupt(), SaveAndDisableInterrupts(), and
>> DisableLvtInterrupts() -- and the error path does not restore the
>> original environment.
>>
>> (c) According to the PI spec (v1.7), the StartupAllAPs(),
>> StartupThisAP(), SwitchBSP(), EnableDisableAP() member functions of
>> EFI_MP_SERVICES_PROTOCOL may only be called on the (current) BSP.
>> Because of this, it is OK to call ValidCR3GdtIdtCheck() as the very
>> first action in the above-listed DxeMpLib functions.
>>
>> (Assuming the protocol members are called from an AP, and consequently
>> we check CR3 / GDTR / IDTR on the AP (and not on the BSP), that's the
>> *caller's* fault, per spec!)
> 
> This means we can move the ValidCr3GdtIdtCheck() function to
> "DxeMpLib.c", and it is not necessary to modify "MpLib.h".
> 
> Thanks
> Laszlo
> 
> 
> 
> 
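The shape of the check the thread argues about, as an added host-side example that is not the patch under review nor edk2 code: a pure function standing in for ValidCr3GdtIdtCheck(), fed the BSP's CR3/GDTR/IDTR values that real firmware would read with BaseLib's AsmReadCr3()/AsmReadGdtr()/AsmReadIdtr(), plus a wrapper modelling the Feature PCD gate at the top of the DxeMpLib entry points. The struct, the function names and the decision to treat a table that straddles the 4GB boundary as invalid (base + limit, not base alone) are my assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the register state MpInitLib would read on the
 * BSP with AsmReadCr3() / AsmReadGdtr() / AsmReadIdtr(). Passing it in as a
 * struct lets the check run on a host without any firmware environment. */
typedef struct {
  uint64_t Cr3;        /* page-table root; bits 51:12 hold the PML4 address */
  uint64_t GdtrBase;   /* GDTR base (linear; identity-mapped in DXE) */
  uint16_t GdtrLimit;  /* GDTR limit: offset of the last byte of the table */
  uint64_t IdtrBase;
  uint16_t IdtrLimit;
} CpuDescTables;

#define BASE_4GB      0x100000000ULL
#define CR3_ADDR_MASK 0x000FFFFFFFFFF000ULL  /* drop PCID/flag bits 11:0 */

/* True when a descriptor table occupying [Base, Base + Limit] fits below 4GB. */
static bool TableBelow4Gb(uint64_t Base, uint16_t Limit) {
  return Base < BASE_4GB && (Base + Limit) < BASE_4GB;
}

/* Hypothetical counterpart of the ValidCr3GdtIdtCheck() discussed in the
 * thread: true when CR3, GDT and IDT all live below 4GB, i.e. where the AP's
 * 32-bit transition code is still able to load them. */
bool ValidCr3GdtIdtCheck(const CpuDescTables *t) {
  if ((t->Cr3 & CR3_ADDR_MASK) >= BASE_4GB) return false;
  if (!TableBelow4Gb(t->GdtrBase, t->GdtrLimit)) return false;
  if (!TableBelow4Gb(t->IdtrBase, t->IdtrLimit)) return false;
  return true;
}

/* Models the Feature PCD gate: a platform that does not opt into
 * compatibility with the relocating application gets "always valid", so the
 * compiler can drop the whole check. Called first thing, on the BSP. */
bool MpEntryPreflight(bool FeaturePcdCheckCr3GdtIdt, const CpuDescTables *t) {
  if (!FeaturePcdCheckCr3GdtIdt) return true;
  return ValidCr3GdtIdtCheck(t);
}

int main(void) {
  /* Constructed sample: a normal DXE layout, everything below 4GB. */
  CpuDescTables ok  = { 0x7ff00000, 0x7fe00000, 0x3f, 0x7fd00000, 0x7ff };
  /* Constructed sample: an application moved the GDT to exactly 4GB. */
  CpuDescTables bad = { 0x7ff00000, 0x100000000ULL, 0x3f, 0x7fd00000, 0x7ff };
  printf("ok=%d bad=%d gated-off=%d\n", ValidCr3GdtIdtCheck(&ok),
         ValidCr3GdtIdtCheck(&bad), MpEntryPreflight(false, &bad));
  return 0;
}
```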